Share this story

The outcome of the 2016 presidential election is history. But allegations of voter fraud, election interference by foreign governments, and intrusions into state electoral agencies' systems have since cast a pall over the system that determines who makes the laws and enforces them in the United States. Such problems will not disappear no matter what comes out of a presidential commission or a Congressional hearing.

"Amazon will not go out of business because one percent of its transactions are fraudulent," said David Jefferson, a visiting computer scientist at Lawrence Livermore National Laboratory and chairman of the Verified Voting Foundation, a non-governmental organization working toward accuracy, integrity, and verifiability of elections. "That's not the case for elections."

Jefferson's words came during his talk at the latest edition of DEFCON, the annual infosec event. Election hacks naturally became something of an overarching theme within the Caesar's Palace convention center this summer. In fact, there was an entire room dedicated solely to testing the reliability of US electronic voting systems. Called "Voting Village," the space was filled with more than 25 pieces of electoral hardware—voting machines and other electronic election-management equipment—in various stages of deconstruction. Any curious conference attendee, no matter where they fell within the conference's wide technical skill spectrum, could contribute to the onslaught of software and hardware hacks targeting the machines in this de facto lab.

The results were sobering. By the end of the conference, every piece of equipment in the Voting Village was effectively breached in some manner. Participants with little prior knowledge and only limited tools and resources were quite capable of undermining the confidentiality, integrity, and availability of these systems…The DEFCON Voting Village showed that technical minds with little or no previous knowledge about voting machines, without even being provided proper documentation or tools, can still learn how to hack the machines within tens of minutes or a few hours.

The report published on October 10. Less than a month later, another election day is upon us here in the US. There isn't much reason to be more confident in electoral systems this year, either.

A recent history of electronic voting

Taking your best Mr. Robot-style hack-fu to the US electoral system wasn't always possible, of course. It was the outcome of another bitterly fought election—in 2000, between George W. Bush and Albert Gore—that drove the US to legislate the adoption of new technologies for voting. The shift was supposed to restore faith in the electoral system after swaths of the voting public had butterfly ballot nightmares. But the Help America Vote Act of 2001 (HAVA), which funded the creation of the Election Assistance Commission and the adoption of electronic voting systems by state and local governments, instead introduced a whole new set of uncertainties to our election systems.

Use-or-lose funding and a loose patchwork of standards led to early issues, and many of these problems are still there. One of the biggest culprits is the fact that the voting security standards, as set by the Election Assistance Commission, are still voluntary. Some systems therefore continue to run vulnerable operating systems or other technologies that are demonstrably vulnerable. And even when systems have been determined to be vulnerable, they remain in use for a long time—largely because the money used to buy them in the first place is long gone.

Further Reading

That's not to say that electronic voting is inherently a bad idea. Worldwide, electronic voting has caught on in places like Switzerland, Spain, Brazil, Australia, India, and Canada, for instance. US elections are complex undertakings—particularly primaries, where ballots vary both by party and a voter's residence—and part of the intent of HAVA was to make ballots more accessible to people with disabilities who may have struggled with a mechanical or paper punch system (like those infamous butterfly ballots). Electronic systems also make vote counting and reporting somewhat less prone to human error and outright fraud by eliminating the human clerical steps involved in elections.

But while electronic voting systems may make it easier to run elections, they introduce a host of new problems—not just those high-tech headaches from DEFCON, but even the basic issue of trust.

"They're voting computers," said Matt Blaze, associate professor of computer and information science at the University of Pennsylvania and a researcher focused on computer security and cryptography. "So understanding what they do is as easy or as hard as understanding what a computer does." Whether or not we believe that the companies making electoral systems are capable of building reliable computer systems "is actually kind of central to whether we regard the government we have as being legitimately elected," Blaze concluded.

Broward County Canvassing Board Member Judge Robert Rosenberg (L) shows a ballot to an unidentified observer at the Broward County Courthouse in Ft. Lauderdale, Florida in November 2000. This is why we can't have nice things.

Getty Images

Trustworthy computing?

"The question that the electronic voting community has asked is 'Are [electronic voting] machines better against this traditional threat than the paper systems we knew before?'" Blaze said during his DEFCON presentation. "The answer to that question is and has been mostly 'no.'"

In previous examinations of electronic tabulation systems, known in the industry as Direct Recorder Electronic (DRE) voting machines, Blaze said researchers largely found "horrific" vulnerabilities. "We were literally limited only by our typing speed in writing them down," he said. "You open the box, and they hit you in the face." Some of those vulnerabilities were documented by Blaze and other researchers as part of the 2007 California Top-To-Bottom Review and Ohio EVEREST Review.

While there has been some consolidation in the voting systems market over the past decade, DRE machines remain vulnerable in 2017 largely because they rely on antiquated, general-purpose technologies that are rarely updated. And while vendors proclaim their systems to be secure, the accuracy of those claims depends a great deal on how "secure" is defined.

Further Reading

"When someone asks you to determine 'are these things secure?' the first question you should ask is 'What does secure mean?'" Blaze said. In voting, he suggests a secure goal is that each person can only vote once and that fraudulent votes can't be cast—either through "ballot stuffing" with nonexistent voters' ballots, the practice of selling votes, or by administrators changing others' votes. These are the concerns the traditional threat model of election systems has focused on: stopping cheating in elections.

The National Institute of Standards and Technology (NIST) Election Cybersecurity Working Group is making an effort to improve standards for security in collaboration with the Election Assistance Commission. But Joshua Franklin, an IT security engineer at NIST who serves as co-chair of the working group, described the challenges in getting states and counties to adopt such voluntary guidance in full.

"These systems only get one to five updates over their lifecycle," Franklin explained. And those updates are hard to deploy—one update required electoral officials to receive PC-MCIA cards "to install a replacement for an X.509 certificate that had expired in 6,000 machines," he said.

Today, the US electoral system has become highly dependent on technology built on systems that few people put in charge understand. The fundamental weaknesses of decade-old Internet software and operating systems are part of the foundation of America's electoral process, and they're ripe for disruption or manipulation. It means an entirely different threat model has to emerge—"secure" may now mean something totally different from the traditional approach.

Share this story

Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Emailsean.gallagher@arstechnica.com//Twitter@thepacketrat